Electronic health records: Milestones and growing pains

Catherine Bruno, Eastern Maine Healthcare Systems, will be speaking today at a Brookings Institute event on “Health IT in an Era of Accountable Care.” Watch the webcast here. The session is an update on the Beacon Community Program, which “provides funding to 17 selected communities throughout the United States that have made inroads in developing secure, private, and accurate systems of electronic health record adoption and health information exchange.”

Two reports released Tuesday by the inspector general of the Health and Human Services Department find that the drive to connect hospitals and doctors so they can share patient data electronically is being layered on a system that already has glaring privacy problems. Connecting it up could open new pathways for hackers, investigators say.

Our review found that ONC had application information technology (IT) security controls in the interoperability specifications, but there were no HIT standards that included general information IT security controls. General IT security controls are the structure, policies, and procedures that apply to an entity’s overall computer operations, ensure the proper operation of information systems, and create a secure environment for application systems and controls. At the time of our initial audit, the interoperability specifications were the ONC HIT standards and included security features necessary for securely passing data between EHR systems (e.g., encrypting transmissions between EHR systems). These controls in the EHR systems were application security controls, not general IT security controls.

We found a lack of general IT security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals. Those vulnerabilities, combined with our findings in this audit, raise concern about the effectiveness of IT security for HIT if general IT security controls are not addressed.

In a response to the OIG, former HIT chief David Blumenthal says his office is on it. He says that the effort needed to find a way to ensure the security of health information while avoiding the creation of “an onerous burden of clinical requirements” that would prevent providers from adopting HIT.

ONC’s primary mission is to promote the adoption of health IT in support of improved healthcare: better outcomes, fewer errors, less costs. Consequently, in the early stages of adoption effort, under HITECH, ONC has worked to strike the right balance between ensuring the security of health information among new adopters while not creating such an onerous burden of clinical requirements that the primary adoption goal would fail to be achieved. By the end of the HITECH-related wave of health IT implementation in 2015, ONC expects to have a well developed set of certification criteria that, coupled with practices initiated under the CMS meaningful use rule, will form a strong security framework for the use and exchange of electronic health information.

Adoption is not the whole story, however. There are many health IT users who are not eligible for Meaningful Use incentives. But unless the entire health IT ecosystem participates in good security practices, the well secured could face risk from the less secure. Therefore, ONC addresses security and cybersecurity at the enterprise level, with a strategic plan that considers all components of the greater world of health IT. HITECH required ONC to revise and update its Federal Health IT Strategic Plan. A key element of that plan is health IT security. ONC’s Office of the Chief Privacy Officer is in the final stages of drafting a comprehensive security strategic plan that details its plans in this regard. ONC agrees with the sentiment expressed by HITSC vice-chairman John Halamka: “security is an end-to-end process…” We support the vision of enterprise-class health IT security and have taken clear steps to bring this vision to fruition. It is a task neither fast nor easy, but it is one to which ONC remains fully committed.

For the past 3 years, Massachusetts has led the country in e-prescribing due to the combined efforts of our payers and our healthcare information exchange. I follow the evolution of e-prescribing with great interest.

Key findings in the Surescripts report include:

Electronic Prescribing Use

* Prescription Benefit: Electronic responses to requests for prescription benefit information grew 125% from 188 million in 2009 to 423 million in 2010.
* Medication History: Prescription histories delivered to prescribers grew 184% from 81 million in 2009 to 230 million in 2010.
* Prescription Routing: Prescriptions routed electronically grew 72% from 191 million in 2009 to 326 million in 2010.
* EMR vs. Standalone E-Prescribing Software: About 79 percent of prescribers used EMRs in 2010, up from 70 percent in 2009.